Apache Tomcat Patches Remote Code Execution Flaw

The Apache Tomcat team recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthorized attacker to execute malicious code on affected servers remotely.

Apache Tomcat, developed by the Apache Software Foundation (ASF), is an open source web server and servlet container that implements several Java EE specifications such as Java Servlet, JavaServer Pages (JSP), Expression Language and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

Unlike the vulnerability in Apache Struts2 recently exploited to breach the information systems of the American credit agency Equifax, the Apache Tomcat flaws are less likely to be exploited.

“Tomcat versions prior to 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems if the default servlet is configured with the readonly parameter set to false or the WebDAV servlet is enabled with the readonly parameter set to false,” says Peter Stöckli of Alphabot Security.
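The condition quoted above is a single `readonly` init-param on the DefaultServlet or the WebDAV servlet in Tomcat's `web.xml`. The following script is an added example, not code from the article or from the Tomcat project: it parses a constructed `web.xml` fragment in which both servlets have `readonly` set to `false`, reports each writable servlet, and produces the hardened form with `readonly` set back to `true` (Tomcat's default). The servlet class names are Tomcat's real ones; the servlet names and the sample document are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Servlet 3.1 deployment descriptors; registered so the
# hardened output keeps a default namespace instead of an "ns0:" prefix.
JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"
ET.register_namespace("", JAVAEE_NS)

# The two Tomcat servlets whose "readonly" parameter controls whether
# HTTP PUT/DELETE may write into the web application.
WRITABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed sample: a risky web.xml with readonly=false on both servlets.
# The JSP servlet is included to show that unrelated servlets are ignored.
RISKY_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
""".strip()


def _local(tag):
    """Strip the XML namespace from an ElementTree tag ("{ns}servlet" -> "servlet")."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def _readonly_params(servlet):
    """Yield the <init-param> elements of a servlet whose param-name is 'readonly'."""
    for param in servlet:
        if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
            yield param


def find_writable_servlets(web_xml_text):
    """Return (servlet-name, servlet-class) for every Default/WebDAV servlet with readonly=false."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = _child_text(servlet, "servlet-class")
        if cls not in WRITABLE_SERVLETS:
            continue
        for param in _readonly_params(servlet):
            if (_child_text(param, "param-value") or "").lower() == "false":
                findings.append((_child_text(servlet, "servlet-name"), cls))
    return findings


def harden_web_xml(web_xml_text):
    """Return a copy of web.xml with readonly flipped to true on the Default/WebDAV servlets."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") not in WRITABLE_SERVLETS:
            continue
        for param in _readonly_params(servlet):
            for child in param:
                if _local(child.tag) == "param-value":
                    child.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cls in find_writable_servlets(RISKY_WEB_XML):
        print(f"writable servlet: {name} ({cls})")
    print(harden_web_xml(RISKY_WEB_XML))
```

Run the audit against both the global `conf/web.xml` and each application's `WEB-INF/web.xml`, since an application descriptor can re-declare the default servlet with its own parameters. Flipping `readonly` to `true` removes the write path entirely; upgrading to the fixed releases is still required where PUT is genuinely needed.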

Exploitation of this vulnerability requires that an attacker be able to upload a malicious JSP (JavaServer Pages) file to a target server running an affected version of Apache Tomcat; the code inside the JSP file is then executed by the server when the file is requested.

To upload a malicious JSP, the attacker only needs to send an HTTP PUT request to the vulnerable server, as shown in the proof-of-concept (PoC) exploit code that Peter published on the Apache mailing list.

The exploit would allow the attacker to execute malicious code on the target server.
“Because this feature is not typically required, most systems exposed to the public will not have readonly set to false and therefore will not be affected,” says Peter.
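The attack path described above leaves a distinctive trace in Tomcat's access log: a PUT request that the server accepts, followed by a request for the file that was just written. The following detector is an added example, not code from the article or from Tomcat: it parses lines in the default `AccessLogValve` pattern (`%h %l %u %t "%r" %s %b`), flags every successful PUT, raises the severity when the written path is a JSP, and correlates a later GET to that same path. The log lines, hosts and paths are constructed for the example; a 405 response is included to show what a server with `readonly=true` returns and that it is not flagged.

```python
import re

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log: one ordinary GET, a successful non-JSP PUT, a
# successful JSP PUT followed by a GET of that file, and a PUT rejected with
# 405 (what a server with readonly=true answers).
SAMPLE_LOG = """
10.0.0.5 - - [21/Sep/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [21/Sep/2017:10:00:02 +0000] "PUT /upload/report.txt HTTP/1.1" 201 -
10.0.0.9 - - [21/Sep/2017:10:00:03 +0000] "PUT /hello.jsp HTTP/1.1" 201 -
10.0.0.9 - - [21/Sep/2017:10:00:04 +0000] "GET /hello.jsp HTTP/1.1" 200 512
10.0.0.7 - - [21/Sep/2017:10:00:05 +0000] "PUT /other.jsp HTTP/1.1" 405 -
""".strip().splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyze_access_log(lines):
    """Return (host, path, reason) findings for accepted PUTs and follow-up JSP requests."""
    findings = []
    uploaded_jsp = set()  # paths of JSP files the server confirmed it wrote
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or differently formatted line; skip
        status = int(rec["status"])
        path = rec["path"].split("?", 1)[0]  # drop any query string
        method = rec["method"]
        if method == "PUT" and 200 <= status < 300:
            # The server accepted a write: the servlet is not read-only.
            if ".jsp" in path.lower():
                uploaded_jsp.add(path)
                findings.append((rec["host"], path, "JSP written via PUT"))
            else:
                findings.append((rec["host"], path, "successful PUT"))
        elif method == "GET" and path in uploaded_jsp:
            # A request for a JSP that was written moments earlier is the
            # execution step; treat it as the highest-priority signal.
            findings.append((rec["host"], path, "uploaded JSP requested"))
    return findings


if __name__ == "__main__":
    for host, path, reason in analyze_access_log(SAMPLE_LOG):
        print(f"{host} {path}: {reason}")
```

Any successful PUT is worth reviewing on a server that is not meant to accept uploads, since it proves the `readonly` protection is off regardless of the filename; the JSP correlation simply orders the queue.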

This RCE vulnerability, rated “Important,” affects Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81, and has been addressed with the release of Tomcat versions 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82.

A similar security issue (CVE-2017-12615), discovered in Tomcat 7 on Windows, was patched by the Apache Tomcat developers on September 19th with the release of version 7.0.81.

Official Hacker is your news, tips and tricks website. We provide you with the latest hacking news and hacking tutorials straight from the cyber industry.